Authentication is the process of confirming an identity. For network interactions, authentication involves the identification of one party by another party. There are many ways to use authentication over networks, such as password-based authentication and certificate-based authentication. A digital certificate, commonly referred to as a certificate, is an electronic document used to identify an individual, a server, a company, or another type of entity and to associate that identity with a public key. Certificates have the purpose of establishing trust. Their usage varies depending on the kind of trust they are used to ensure.
Network interactions typically take place between a client, such as a web browser, and a server. Client authentication refers to the identification of a client (the person assumed to be using the software) by a server, while server authentication refers to the identification of a server (the organization assumed to be running the server at the network address) by a client. Client authentication and server authentication are not the only forms of authentication that certificates support. For example, the digital signature on an email message, combined with the certificate that identifies the sender, can authenticate the sender of the message. Similarly, a digital signature on an HTML form, combined with a certificate that identifies the signer, can provide evidence that the person identified by that certificate agreed to the contents of the form. In addition to authentication, the digital signature in both cases ensures a degree of non-repudiation, because a digital signature makes it difficult for the signer to claim later not to have sent the email or form.
There are two main types of certificates, signing certificates and encryption certificates, although there may be other types of certificates as well. Some certificates may also be dual-use certificates, operating as both a signing certificate and an encryption certificate. One example of a signing certificate is a client Secure Sockets Layer (SSL) certificate. A client SSL certificate is used for client authentication to servers over SSL. The SSL protocol governs server authentication, client authentication, and encrypted communication between servers and clients. When using an SSL client certificate to authenticate a client to a server, it is assumed that the client presents a valid certificate that can be used to identify the client to the server. For example, a bank gives a customer an SSL client certificate that allows the bank's servers to identify that customer and authorize access to the customer's accounts. In another example, a company gives a new employee an SSL client certificate that allows the company's servers to identify that employee and authorize access to the company's servers.
Similarly, an SSL server certificate is used for server authentication to clients over SSL. For example, Internet sites that engage in electronic commerce usually support certificate-based server authentication to establish an encrypted SSL session and to assure customers that they are dealing with the web site identified with the company. The encrypted SSL session ensures that personal information sent over the network, such as credit card numbers, cannot easily be intercepted. Server authentication may be used with or without client authentication.
Certificate authorities (CAs) validate identities and issue certificates. CAs can be either independent third parties or organizations running their own certificate-issuing server software, such as a certificate system. The methods used to validate an identity vary depending on the policies of a given CA for the type of certificate being requested. Before issuing a certificate, a CA must confirm the user's identity with its standard verification procedures. The certificate issued by the CA binds a particular public key to the name of the entity identified by the certificate, such as the name of an employee or a server. Only the public key included in the certificate will work with the corresponding private key possessed by the entity identified by the certificate.
In addition to a public key, a certificate typically includes the name of the entity it identifies, an expiration date, and the name of the CA that issued the certificate. In most cases, a certificate also includes the digital signature of the issuing CA. The CA's digital signature allows the certificate to serve as valid credentials for users who know and trust the CA but may not know the entity identified by the certificate. Because certificates expire, for example after 2-3 years, they need to be renewed to avoid expiration. Conventional certificate systems have typically been implemented in a policy framework, in which a policy set defines the available renewal features and corresponding requirements, such as a requirement that a valid, non-expired SSL client certificate has to be presented to approve a renewal request. When the certificate system requires that a requester use a valid, non-expired SSL certificate in order to renew the certificate, the requesting client presents its valid SSL certificate to the certificate system to authenticate the client's identity before the renewal request can be approved. This approach may limit the types of certificates that can be renewed, since not all certificates are SSL certificates. This approach may also limit renewal requests to certificates that have not expired, since a valid, non-expired certificate is required to be presented with the renewal request. This approach is inflexible in scenarios where an entity inadvertently fails to renew the certificate before the expiration date, or where it is impractical or impossible to renew the certificate before the expiration date.
Existing certificate systems fail to provide adequate mechanisms to renew all types of digital certificates, and conventionally are limited to non-expired signing certificates.
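The conventional renewal gate described above can be modelled as a short policy check. This is an added example, not code from the original text or from any certificate system: the Cert record, the function names and the sample certificates are hypothetical, and an issuer-name match stands in for verifying the CA's signature.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

SIGNING, ENCRYPTION = "digitalSignature", "keyEncipherment"  # X.509 key-usage names

@dataclass(frozen=True)
class Cert:  # hypothetical, simplified record; a real system parses X.509
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    key_usage: frozenset

def conventional_renewal_check(cert, trusted_issuers, now):
    """Conventional policy: the certificate to renew is also the SSL client
    credential, so it must be a trusted, non-expired signing certificate."""
    if cert.issuer not in trusted_issuers:
        # Stand-in for verifying the issuing CA's signature on the certificate.
        return False, "issuer not trusted"
    if SIGNING not in cert.key_usage:
        return False, "not usable for SSL client authentication"
    if not (cert.not_before <= now <= cert.not_after):
        return False, "expired or not yet valid"
    return True, "renewal approved"

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample data: names, dates and the CA are made up.
NOW = utc(2024, 6, 1)
TRUSTED = {"CN=Example CA"}
SAMPLES = {
    "valid signing": Cert("CN=alice", "CN=Example CA", utc(2022, 7, 1),
                          utc(2024, 7, 1), frozenset({SIGNING})),
    "expired signing": Cert("CN=bob", "CN=Example CA", utc(2021, 5, 1),
                            utc(2024, 5, 1), frozenset({SIGNING})),
    "valid encryption": Cert("CN=carol", "CN=Example CA", utc(2022, 7, 1),
                             utc(2024, 7, 1), frozenset({ENCRYPTION})),
}

def evaluate_samples():
    """Run every sample through the conventional renewal gate."""
    return {name: conventional_renewal_check(cert, TRUSTED, NOW)
            for name, cert in SAMPLES.items()}

if __name__ == "__main__":
    for name, (approved, reason) in evaluate_samples().items():
        print(f"{name:17} approved={approved!s:5} {reason}")
```

Only the first sample is approved; the expired signing certificate and the still-valid encryption certificate are both refused, which are the two limitations the text identifies.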